Secret Key Generation From Mobility Onur Gungor, Fangzhou Chen, C. Emre Koksal Department of Electrical and Computer Engineering The Ohio State University, Columbus, 43210 Abstract—We consider secret key generation from relative improving its observations. We study the tradeoffs involved localization information of a pair of nodes in a mobile wireless and show that, while in some cases it may be possible to network in the presence of a mobile eavesdropper. Our scheme increase the beacon rate unboundedly with the number of consists of two phases: in the first phase, legitimate node pair exchanges beacon signals to establish localization information beacons, if the eavesdropper possesses certain capabilities such based on noisy observations of these beacons; in the second as measuring the angle of arrival, increasing the number of phase, nodes generate secret key bits via a public discussion. Our beacons do not necessarily increase the achievable key rate problem can be categorized under the source models of informa- beyond a certain limit. We also study the loss of key rate due to tion theoretic secrecy, where the distance between the legitimate imperfections such as quantization noise and clock mismatch. nodes acts as the observed common randomness. We characterize the achievable secret key bit rate in terms of the observation noise variance at the legitimate nodes and the eavesdropper. This II. RELATED WORK work provides a framework that combines information theoretic Source model of secrecy studies generation of secret key secrecy and wireless localization, and proves that the localization bits from common randomness observed by legitimate nodes. information provides a significant additional resource for secret In his seminal paper, Maurer showed that, if two nodes observe key generation in mobile wireless networks. correlated randomness, then they can agree on a secret key through public discussion [1]. He provided upper and lower I. INTRODUCTION bounds on the achievable secret key rates, considering that the We consider the generation of a common key in a pair of nodes have unlimited access to a public channel, accessible by nodes, which move in R2 (continuous space) according to a the eavesdropper. Although the upper and lower bounds have discrete time stochastic mobility model. An eavesdropper is been improved over time [2], [3], the secret key capacity of the also mobile with a mobility pattern, independently of those of source model in general is still an open problem. Despite this the legitimate nodes. We exploit the reciprocity of the distance fact, the source model has been extended to several different between a given pair of locations, view the distance between settings [4]. the legitimate nodes as a common randomness shared by these There is a vast amount of literature on localization in wire- nodes and utilize it to generate secret key bits using the ideas less networks (see, e.g., [5]–[7], and the references therein). from source models of secrecy. There has been some focus on secure localization and position- We propose a system, in which the legitimate nodes use a based cryptography [8]–[11], however, these works either two stage key generation process: (1) In the first stage, they consider key generation in terms of other forms of secrecy (i.e., repeatedly exchange wireless beacons to obtain information computational secrecy), or fall short of covering a complete regarding the sequence of distances between them over many information theoretic analysis. Also a similar line of work in time slots as they move in the area. The beacon signal wireless network secrecy considers channel identification [12] may contain explicit information such as a time stamp, or for secret key generation. Based on the channel reciprocity the receiving node can extract other means of localization assumption, nodes at both ends experience the same channel, information by analyzing the angle of arrival, the received corrupted by independent noise. Therefore, nodes can use signal strength (RSS), etc. We assume that the eavesdrop- their channel magnitude and phase response observations to per overhears the beacons and tries to deduce the distance generate secret key bits from public discussion. Another no- information based on these observations. (2) In the second table work [13] considers secret key generation from common stage, the nodes communicate over the public channel to agree phase information. Considering a narrow-band fading model, on a “reliable” secure key based on the observed sequence the authors describe a hierarchical structure to generate keys, of relative distances. Using a source model of secrecy, we with applications to multi-node key generation. However, the characterize the achievable secret key bits in terms of the security of the model depends on the fact that eavesdropper’s observation noise variance at the legitimate nodes and the phase observation is independent of the legitimate nodes’ eavesdropper. We show that localization information provides phase observation, which does not hold if the eavesdropper a significant additional resource for secret key generation. observes or estimates the positions and velocities of legitimate Next, we consider the case where legitimate nodes are nodes using the received signals. capable of improving the observation quality by exchanging Note that, our approach of using the distances robust with multiple beacons at a given location. Note however that the respect to channel issues. There may be numerous scenarios improvement comes at the expense of the eavesdropper also in which channel reciprocity does not hold (e.g., presence of ground reflections), which leads to the failure of the The legitimate nodes generate secret key bits from their approaches based on that assumption. However, the distance mobility patterns in two phases: localization and key gen- (or the propagation delay) between two points is identical in eration. In the first (localization) phase, nodes observe the both directions, regardless of the medium. sequence of distances using the beacon signals (e.g., by using the propagation delay (time of arrival) of electromagnetic III. SYSTEM MODEL signals [5]). In the second (secure key generation) phase, the Consider a simple network consisting of two mobile le- nodes generate secret key bits from the common localization gitimate nodes, called user 1 and 2, and a possibly mobile information via public discussion. Now, we explain these eavesdropper e. We divide time into discrete slots {1, ··· ,n}, phases in more detail: where slot i covers the time interval [iT, (i+1)T ). We assume Phase I - localization: At the beginning of each slot i, node 1 T to be large enough for many beacon-signal exchanges to 1 broadcasts a beacon. Considering perfect clock synchroniza- be possible, but too short for a significant location change to tion of the nodes2, nodes 2 and e obtain a noisy observation occur. Hence, we assume the location to be constant within of d12[i] and d1e[i] respectively. Let these observation be dˆ2[i] 2 a slot. Let xj [i] ∈ R be the random variable that denotes and dˆ1e[i]. Similarly, node 2 follows up with a beacon and the location of node j ∈ {1, 2,e} at slot i in cartesian nodes 1 and e observe dˆ1[i] and dˆ2e[i], respectively. With the coordinates. The distance between nodes 1 and 2 in slot i is observations of both the beacons, the eavesdropper also obtains d n d12[i]= |x1[i]−x2[i]|. We use the notation 12 = {d12[i]}i=1. a noisy observation, φˆ [i], of the angle between the legitimate d d e Similarly 1e, 2e denotes the sequence of distances between nodes. The first phase ends after n slots. nodes (1,e) and nodes (2,e) respectively. Hence, the distance Phase II - key generation: In the second phase, nodes 1 and vectors form n triangles, one of which is shown in Figure 1. 2 agree on a secret key based on the observation sequence Furthermore, let φe[i] denote the angle of the triangle at node dˆ = {dˆ [i]}n and dˆ = {dˆ [i]}n by communicating n dˆ dˆ 1 1 i=1 2 2 i=1 e at slot i, and φe = {φe[i]}i=1. For the n-tuples ( 1, 2), over an error-free public channel. This phase is commonly 1d12[i] 2 referred to in the source model literature as the public dis- cussion phase [1]. A public discussion algorithm C1, ··· , Ct is a t step message exchange protocol, where node 1 send d1e[i] d2e[i] messages C1, C3, ··· , at odd steps, and node 2 sends messages φ [i] e C2, C4, ··· at even steps, according to a deterministic function such that e Fig. 1: Parameters of the system H(C |dˆ , C , ··· , C )=0, odd i (1) we denote the joint probability density function as f(dˆ , dˆ ), i 1 i−1 1 1 2 dˆ and define [14] H(Ci| 2, Ci−1, ··· , C1)=0, even i (2) • The mutual information as At the end of the t step protocol, node 1 obtains S1, and node f(dˆ1, dˆ2) 2 obtains S as the secret key, where I(dˆ ; dˆ ) = log 2 1 2 dˆ dˆ f( 1)f( 2)! t H(Sj |dˆj , C )=0, j ∈{1, 2} (3) • The average mutual information as Independent of the localization phase, let the eavesdrop- I(dˆ1; dˆ2)= E[I(dˆ1; dˆ2)] per obtain its global position observation xˆe. Then, eˆ = dˆ dˆ ˆ x • The spectral-inf mutual information rate as { 1e, 2e, φe, ˆe} denotes the set of eavesdropper’s complete observations of the system. We say that secret key bits are 1 dˆ dˆ p- lim inf I( 1, 2)= reliably generated at rate R if ∀ǫ> 0, ∃n,t such that (1), (2) n→∞ n 1 and (3) are satisfied, and sup β : lim P I(dˆ1; dˆ2) <β =0 n→∞ n H(Sj )/n = R, j ∈{1, 2} • The spectral-sup mutual information rate as P(S1 = S2) ≤ ǫ 1 e t p- lim sup I(dˆ1, dˆ2)= I(Sj ; ˆ, C )/n ≤ ǫ, j ∈{1, 2} n→∞ n 1 The problem of finding a public discussion algorithm inf α : lim P I(dˆ1; dˆ2) > α =0 n→∞ n C1, ··· , Ct that maximizes R is out of the scope of this paper.